Louisiana recently became one of seventeen states that have enacted laws banning employers and potential employers from demanding the usernames and passwords to personal online accounts, including social media, networking and email accounts, of employees and prospective employees. Louisiana’s “Personal Online Account Privacy Protection Act” (the “Act”), which became effective on August 1, 2014, prohibits employers from disciplining or terminating employees or failing to hire applicants for refusing to provide usernames and passwords to their personal online accounts.

While the Act allows employers to view, access and utilize online information concerning an employee or applicant that can be obtained without a username, password or other authentication information, it prohibits employers from requiring, or even requesting, that an employee or applicant disclose any “username, password, or other authentication information that allows access to the employee’s or applicant’s personal online account.” The definition of a “personal online account” is, however, limited to an account that the applicant or employee uses exclusively for personal communications unrelated to any business purpose of the employer. Further, the Act specifically excludes from protection those personal online accounts used by an applicant or an employee for business purposes or to engage in business-related communications.

There are other significant carve-outs from the protection provided to employees by the Act. For example, employers who have “specific information” that an employee may have acted improperly are not prohibited from conducting an investigation for the purpose of investigating work-related employee misconduct or the unauthorized transfer of the employer’s proprietary or confidential information. Additionally, employers retain their right to discipline an employee for transferring confidential information to the employee’s personal online account without authorization. Employers also have the right to restrict or prohibit an employee’s access to certain websites while using an electronic communication device paid for or supplied, in whole or part, by the employer or while using the employer’s network.

Employers should review their forms and human resources practices and policies to ensure compliance with the Act. Similarly, internal investigation protocols should be reviewed in light of the Act’s requirement for “specific information” prior to seeking protected password information from an employee. More importantly, managers and supervisors should be made aware of the restrictions placed upon an employer by the Act. The Act’s definition of “employer” includes any agent, representative or designee of the employer and, as such, the actions of managers and supervisors will likely be attributed to the employer. Accordingly, managers and supervisors should be trained to comply with the Act and instructed to refrain from requesting protected password information from employees and applicants, even on an informal basis, without first contacting the human resources department.

Please contact us for more information about the laws related to privacy rights in the workplace or if you need assistance with any other employment related matters.

Disclaimer: The information provided herein (1) is for general information only; (2) does not create an attorney-client relationship between the author or the author’s firm and the reader; (3) does not constitute the provision of legal advice, tax advice, or professional consulting of any kind; and (4) does not substitute for consultation with professional legal, tax or other competent advisors. Before making any decision or taking any action in connection with the matters discussed herein, you should consult with a professional legal, tax and/or other advisor who should be provided with all pertinent facts relevant to your particular situation. The information provided herein is provided “as is,” with no assurance or guarantee of completeness, accuracy, or timeliness of the information.